Identity and Security is an important field in FinTech. This article provides a brief overview of identity management and how it applies to the banking sector. The article begins with a historical overview of identity management until modern times, when the three pillars of identity management were introduced.
The three pillars are physical identities (e.g. driver’s license), digital identities (e-mail address) and anonymity (heritage). It then discusses how these aspects play into the traditional banking system, as well as what implications they have for financial institutions today.
The first pillar, physical identities, can be used to verify someone’s identity in real life. For example, a driver’s license or a passport is a form of physical identity that can be used to identify one’s real-life self. Digital identities are more abstract and do not necessarily reflect the person’s real-life characteristics or behavior. This includes things like e-mail addresses, which are not always made public to identify someone in trusted systems. The third pillar is anonymity, or more specifically pseudonymity, which allows an individual to have multiple identities that can be chained together into a secure profile. This is important for matters of privacy and security, as the power of identification lies with the individual and not the system.
Identity management has been around since ancient times, starting with war. With regard to war, having a verifiable identity was important in order to know that each soldier who fought was actually a real person and not a spy (Figueiredo & Moraes). As society evolved, so did the forms of identity.
With advances in technology, people were able to move from physical objects as proof of identity to data representations stored on computers. With this transition came two problems: “how can you prove that you are the owner of an object?” and “how can you prove that you are yourself?”. It was not until the mid-1970s that engineers were able to solve these problems and create a secure identity management system (Identity Management).
These systems were used by companies to control their employees by creating an electronic database of employee information. Such systems can still be found in some companies today, such as banks and hospitals.
As society progressed, so did the technology for creating identity management systems. In the 1980s, companies were able to digitize their physical identities into digital representations. These digital representations are called “account identifiers”, which are identifiers that uniquely identify an account or an object on a computer system (Identity Management). Examples of this include a social security number or an email address. An account identifier can be used to indicate an object’s ownership, but not necessarily the owner.
In the mid-1990s, the concept of anonymous online identity began to grow in popularity due to people who used pseudonyms to protect themselves from social stigma. Pseudonyms combined with digital identity provided people with extra privacy while in a public forum. However, this was not completely secure without a secure system for managing identities, like access and auditing. The first major system for achieving this was X.509 certificates, which created a secure system through encrypting identities and giving them back a unique identifier (Pasquier). Public-key encryption is then used to protect the sender and receiver’s identities (Schneier). This technique was later adopted by companies such as SSL Certificates.
By the end of the 1990s, identity management was very sophisticated and companies were able to identify people based on a multitude of different identifiers. This led to the monitoring of employees through a system called “Identity Governance and Administration” (Figueiredo & Moraes). Identity management has changed significantly since its inception in ancient times, but it will continue to evolve as society changes.
The three pillars of identity management are physical identities, digital identities and anonymity. They all play an important role in the Internet, but their significance changes based on the system in which they are used. For example, when using the internet, digital identities are most useful for connecting an account to a person. However, companies connect physical identities to accounts to link human behaviors with technological instruments and ultimately prove that a person is who he says he is (Pasquier). Anonymity is advancing our knowledge of identity management by allowing individuals to manage their digital identities without linking them to real-life personal information (Schneier).
Physical identities can be obtained by accessing a physical object or by testing for physical attributes. Examples of physical identity include a driver’s license or passport. Digital identities are representations of a person’s real-life characteristics which are stored on the internet. An example of a digital identity is someone’s email address. Finally, anonymity allows an individual to have multiple identities that can be chained together into a secure profile.
When physical identities or digital identities are combined, the result is an anonymous user. Anonymous users can be created in the traditional banking system to allow for more anonymity through pseudonyms. The term pseudonyms is used because these users do not represent their true identity when creating a profile for their bank account. The creation of pseudonyms allows individuals to manage multiple accounts, each having different characteristics (Figueiredo & Moraes).
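An added example, not part of the original article: one way to build pseudonyms that are chained into a profile under the holder's control, compared with reusing one e-mail address everywhere. The two-step HMAC derivation, the function names and the sample domains are assumptions of this example; the article does not specify a mechanism.

```python
import hashlib
import hmac

def _derive(key: bytes, label: str) -> bytes:
    # HMAC-SHA256 as a keyed one-way step (construction assumed for this example).
    return hmac.new(key, label.encode("utf-8"), hashlib.sha256).digest()

def profile_key(master_secret: bytes, profile: str) -> bytes:
    """First link of the chain: one key per profile, e.g. 'banking'."""
    return _derive(master_secret, "profile:" + profile)

def pseudonym(pkey: bytes, service: str) -> str:
    """Second link: the only identifier a given service gets to see."""
    return _derive(pkey, "service:" + service).hex()[:32]

def shared_identifiers(db_a: set, db_b: set) -> set:
    """What two services learn by comparing their account identifiers."""
    return db_a & db_b

def audit_link(pkey: bytes, claims: dict) -> bool:
    """The holder discloses one profile key; the auditor recomputes each
    claimed pseudonym. The master secret is never revealed, so pseudonyms
    under other profiles stay unlinkable."""
    return bool(claims) and all(
        hmac.compare_digest(pseudonym(pkey, service), claimed)
        for service, claimed in claims.items()
    )

# Constructed sample values, not real accounts or keys.
MASTER = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
EMAIL = "alice@example.com"

BANKING = profile_key(MASTER, "banking")
BANK_ID = pseudonym(BANKING, "bank-a.example")
BROKER_ID = pseudonym(BANKING, "broker-b.example")
FORUM_ID = pseudonym(profile_key(MASTER, "social"), "forum-c.example")

if __name__ == "__main__":
    print("reused e-mail, shared:", shared_identifiers({EMAIL}, {EMAIL}))
    print("pseudonyms, shared:   ", shared_identifiers({BANK_ID}, {BROKER_ID}))
    claims = {"bank-a.example": BANK_ID, "broker-b.example": BROKER_ID}
    print("banking profile audit:", audit_link(BANKING, claims))
    print("forum under banking key:", audit_link(BANKING, {"forum-c.example": FORUM_ID}))
```

Two services that both key accounts on the e-mail address can join their records; with derived pseudonyms the intersection is empty, and only a profile key disclosed by the holder lets an auditor tie the banking pseudonyms together.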
Identity management is becoming increasingly important as the number of devices that individuals use to access the internet and their personal data increases. Identity management allows a person to easily communicate with other devices and people through a single identifier. To manage all these devices, individuals are turning to Identity Management Systems (IMS). IMSs are systems that facilitate the creation of identity profiles, allowing users to have control over their personal information (Figueiredo & Moraes). This control allows an individual to stop a company from tracking his online behaviors, and prevents companies from giving out his personal information like his home address or social security number (Pasquier).
The three most common types of IMSs are single sign-on (SSO), federated identity management (FIDM) and service-oriented identity management (SOIM). SSO uses a single identifier, such as your email address, to authenticate users to multiple systems. This single identifier is the same for all systems, so there is less confusion for companies. FIDM defines a collaborative database which can be accessed by multiple organizations. This allows many companies to share information on a user without compromising any one company’s data. SOIM allows an organization to develop an internal application that is used throughout the company. This allows companies to more closely monitor their users in comparison to FIDM.
Identity management is a complex but necessary system that allows people to have ownership of their digital identities while still having security over their personal data. With the development of IMS, individuals will have more control over how they communicate with companies and other people on the internet.
Some individuals are concerned that IMSs and identity management will give governments greater control over the internet. They argue that by sharing personal information with IMS, governments can use this information to track people’s online activities (Pasquier). While this is possible in some cases, it does not mean that all identity management systems are doing this. There are many identity management tools that allow people to secure their identities by not sharing certain information with others. The best way to avoid this is to use a secure system for managing digital identities, such as X.509 certificates (Schneier).
Many people believe that IMS creates a two-tiered society where there is one class of internet user who has ownership and control over their personal data, and another class who does not (Figueiredo & Moraes). The truth is that even though an IMS will allow you to create profiles for financial institutions, it is not necessary for you to do this in order to have complete control over your data. An individual can have complete control over their data by not allowing companies and the government to access certain information about them. IMSs are designed to make this control easier by providing a way for individuals to manage their information in one place, but it is ultimately the individual who has control over personal information.